Symantec Security Response

ISSN 1444-9994

December 2002 Newsletter

2002 Virus Rankings

W32.Klez.H@mm 43%
JS.Exception.Exploit 12%
W32.Bugbear@mm 7%
W32.Klez.E@mm 6%
W95.Hybris.worm 6%
W32.Magistr.39921@mm 4%
W32.Badtrans.B@mm 4%
Backdoor.Trojan 4%
Trojan Horse 4%
W32.Opaserv.Worm 2%
W32.Sircam.Worm@mm 2%
W32.Nimda.enc 2%
JS.Seeker 2%
W32.Yaha.F@mm 1%
VBS.Haptime.A@mm 1%


These are the most common viruses, Trojans, worms and exploits reported to Symantec Security Response during the last month.



Country Spotlight
Denmark

W32.Bugbear@mm
W32.Klez.H@mm
W95.CIH
W32.Funlove.4099
Backdoor.Sdbot
W32.Opaserv.E.Worm
W95.Spaces.1445
Trojan Horse
W32.Opaserv.Worm


Top Global Threats

W32.Klez.H@mm
W32.Bugbear@mm
W95.Spaces.1445
Trojan Horse
JS.Exception.Exploit
W32.Opaserv.Worm
W32.Funlove.4099
W95.Hybris.worm
W32.Nimda.E@mm
HTML.Redlof.A


Asia Pacific
HTML.Redlof.A
W32.Klez.H@mm
JS.Exception.Exploit
W32.Bugbear@mm
W32.Opaserv.Worm
W95.Spaces.1445
W32.Funlove.4099
W32.Opaserv.E.Worm
W32.Opaserv.G.Worm
Trojan Horse

Europe, Middle East & Africa
W32.Klez.H@mm
W32.Bugbear@mm
W95.Spaces.1445
W32.Funlove.4099
JS.Exception.Exploit
W32.Opaserv.Worm
Trojan Horse
W32.Nimda.E@mm
PWSteal.Trojan
W95.Hybris.worm

Japan
W32.Klez.H@mm
W32.Bugbear@mm
W32.Klez.E@mm
HTML.Redlof.A
VBS.LoveLetter.A
W32.Funlove.4099
W95.Hybris.worm
W95.Spaces.1445

The Americas
W32.Klez.H@mm
W32.Bugbear@mm
Trojan Horse
JS.Exception.Exploit
W95.Spaces.1445
W32.Opaserv.Worm
W95.Hybris.worm
W32.Funlove.4099
W32.Friendgreet.worm




It's the end of our calendar year again, time to review the last twelve editions of the newsletter to summarize the year and make some bold predictions. In doing this I came across the December 2001 edition and read the editorial. I've copied parts of it below; it's an interesting read when you look back over the last twelve months in the IT Security industry, and strangely refreshing to look back in this fast-moving, forward-looking industry.
--
Having just attended the annual AVAR Conference and spent a lot of time listening and talking to many people in the industry, I think it's safe to say that we'll see more of the same types of threats. This means many more Win32 worms and viruses using traditional virus-like techniques integrated with vulnerability exploits and DoS 'features'.

There may well be a rapid adoption of wireless networking, and if there is we will see vulnerabilities exposed and exploited. I'll repeat what I've said many times: if you want to use wireless, run a VPN (Virtual Private Network) over it to secure the data, or use applications that have data encryption built in.

One other prediction I have is that Microsoft will, by the end of the year, have made substantial moves towards securing many of their operating systems and software application platforms. Products like Windows, Internet Information Server (IIS), Internet Explorer (IE), Outlook and Outlook Express will all be more secure, either in anticipation of or as a result of new vulnerabilities being discovered.

--

This year's AVAR conference in Korea was an excellent event, and next year's will be hosted by Symantec in Sydney, Australia. My predictions would be very similar: we are seeing what we now call 'blended threats' more often and expect the complexity and efficiency to increase. Microsoft is making significant headway in the reduction of vulnerabilities in Windows and associated software, as are many other software vendors.

I think we'll see an increase in the number of threats targeting Linux, maybe one or two for OS X and, if they come down in cost, the emergence of real threats for wireless devices. We still haven't reached a price point which makes these devices pervasive enough to be attractive to writers of malicious code, even though we are already seeing potentially vulnerable devices with integrated PDA, wireless and mobile phone functionality.

Finally I'd like to thank all those who contributed to the Newsletter over the last year and for those of you celebrating the holiday season, happy holidays and good wishes for the new year.

Best Regards

David Banes.
Editor, Symantec Security Response Newsletter.


Symantec DeepSight™ Analyzer


Become a part of the global early-warning system for cyber attacks, and in return, receive FREE access to Symantec DeepSight Analyzer, a secure, personalized, Web-based incident console, which provides local incident tracking, personalized incident reports, and the ability to generate attacker notification messages.

IT Professionals can join the community of over 16,000 users in over 180 countries who anonymously and automatically submit suspicious network traffic and intrusion attempts to the Symantec Event Database. This information is used to identify patterns in attacks that help serve as a threat-gauging system for the Internet community, and because it's anonymous, protects your company identity at all times.

In return, Symantec DeepSight Analyzer gives IT professionals the ability to track and manage attacks on their own network. Analyzer consolidates event data from seven different Intrusion Detection System (IDS) products and seven different Firewall products, giving IT professionals a single, comprehensive view of threats against their environment.

Key Features of Symantec DeepSight Analyzer:

Correlate attacks from a multitude of IDS and Firewall logs
Manage your logs via a secure, personalized Web-based console
View detailed information on related vulnerabilities
Schedule statistical reports
Track attacks to resolution
Notify offending networks of attacks

For more information on Symantec DeepSight Analyzer and a FREE download:
http://enterprisesecurity.symantec.com/products/products.cfm?productid=159&EID=0

Viruses, Worms & Trojans

W32.Heovin@mm
Aliases: W32.Holar.C@mm, W32/Holar.c@MM [McAfee], W32/Lagel.A [Panda], Win32.Holar.C [CA], WORM_HOLAR.C [Trend], I-Worm.Galil [KAV]
Risk: Low
Date: 6th December 2002

Platforms Affected
Windows 95
Windows 98
Windows NT
Windows 2000
Windows XP
Windows Me
 
Overview
W32.Heovin@mm is a mass-mailing worm that uses Microsoft Outlook to send itself to all contacts in the Windows Address Book. It attempts to send a copy of itself to other mIRC users. It also has backdoor capabilities that allow a hacker to remotely control an infected computer. The email message has the following characteristics:

The subject line is one of the following:
Subject: Flash funny pic
or
Subject: Check This update
Message: Check dis out!
Attachment: Funnyflush.pif

This threat is written in the Microsoft Visual Basic programming language.

NOTE: Definitions dated earlier than December 9, 2002, may detect this threat as Bloodhound.W32.VBWORM.
       
Recommendations
Follow this link for removal instructions for W32.Heovin@mm:
http://www.sarc.com/avcenter/venc/data/w32.heovin@mm.html#removalinstructions
       
References
http://www.sarc.com/avcenter/venc/data/w32.heovin@mm.htm
Credit
By Yana Liu, Symantec Security Response, USA.

W32.Brid.B@mm
Aliases:
Risk: Low
Date: 18th November 2002

Platforms Affected
Windows 95
Windows 98
Windows NT
Windows 2000
Windows XP
Windows Me
 
Overview
W32.Brid.B@mm is a variant of W32.Brid.A@mm. It is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses that it finds in .htm and .dbx files. This variant also attempts to terminate the processes of various antivirus and security programs. The email message has the following characteristics:

Subject: [Registered Windows company name]
Message:
Hello,

My name is donkey-virus.
I wish you a merry Christmas and happy new year.

Thank you.

Attachment: Readme.exe
       
Recommendations
Follow this link for removal instructions for W32.Brid.B@mm:
http://pub-cu.symantec.com/avcenter/venc/data/w32.brid.b@mm.html
 
Credit
Peter Szor, Symantec Security Response, USA
References
http://pub-cu.symantec.com/avcenter/venc/data/w32.brid.b@mm.html
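The subject lines, body text and attachment names published in the two write-ups above are enough for a simple mail-gateway check. The following is an added example written for this newsletter page; it is not Symantec's code or any product's filter. It builds a few constructed sample messages and classifies them against those indicators. Because the W32.Brid.B@mm subject is whatever company name Windows was registered with, the example matches that worm on its body text and attachment rather than its subject. The rule that flags any .exe or .pif attachment on its own is a stricter policy choice of this example, not something the write-ups state.

```python
"""Classify inbound mail against the W32.Heovin@mm and W32.Brid.B@mm
indicators from the write-ups above. Added example, not Symantec code."""
from email import message_from_string
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from typing import List, Optional

# Indicators as published in the write-ups (compared case-insensitively).
HEOVIN_SUBJECTS = {"flash funny pic", "check this update"}
HEOVIN_ATTACHMENT = "funnyflush.pif"
BRID_ATTACHMENT = "readme.exe"
BRID_BODY_MARKER = "my name is donkey-virus"
# Policy choice of this example: executable attachments are suspicious on their own.
EXECUTABLE_SUFFIXES = (".exe", ".pif")


def attachment_names(msg: Message) -> List[str]:
    """Lower-cased filenames of every MIME part that carries one."""
    return [p.get_filename().lower() for p in msg.walk() if p.get_filename()]


def body_text(msg: Message) -> str:
    """Concatenated, lower-cased text/plain parts of the message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode("utf-8", "replace"))
    return "\n".join(chunks).lower()


def classify(raw_message: str) -> Optional[str]:
    """Return the matched threat name, a generic policy hit, or None."""
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip().lower()
    attachments = attachment_names(msg)
    body = body_text(msg)
    # W32.Heovin@mm: one of two fixed subjects plus the Funnyflush.pif attachment.
    if subject in HEOVIN_SUBJECTS and HEOVIN_ATTACHMENT in attachments:
        return "W32.Heovin@mm"
    # W32.Brid.B@mm: the subject is the sender's registered company name, so it
    # is not a stable indicator; match on the body text and Readme.exe instead.
    if BRID_ATTACHMENT in attachments and BRID_BODY_MARKER in body:
        return "W32.Brid.B@mm"
    if any(name.endswith(EXECUTABLE_SUFFIXES) for name in attachments):
        return "executable-attachment"
    return None


def build_sample(subject: str, body: str, attachment: Optional[str] = None) -> str:
    """Build a constructed MIME message for testing; the attachment is placeholder bytes."""
    msg = MIMEMultipart()
    msg["Subject"] = subject
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg.attach(MIMEText(body, "plain"))
    if attachment:
        part = MIMEApplication(b"constructed placeholder bytes", Name=attachment)
        part.add_header("Content-Disposition", "attachment", filename=attachment)
        msg.attach(part)
    return msg.as_string()


# Constructed samples mirroring the published characteristics.
HEOVIN_SAMPLE = build_sample("Flash funny pic", "Check dis out!", "Funnyflush.pif")
BRID_SAMPLE = build_sample(
    "Example Corp",  # stands in for the registered Windows company name
    "Hello,\n\nMy name is donkey-virus.\nI wish you a merry Christmas and happy new year.\n\nThank you.\n",
    "Readme.exe",
)
EXE_ONLY_SAMPLE = build_sample("Quarterly report", "Attached.", "Readme.exe")
CLEAN_SAMPLE = build_sample("Lunch tomorrow?", "See you at noon.")

if __name__ == "__main__":
    for label, sample in [("heovin", HEOVIN_SAMPLE), ("brid", BRID_SAMPLE),
                          ("exe-only", EXE_ONLY_SAMPLE), ("clean", CLEAN_SAMPLE)]:
        print(f"{label:9s} -> {classify(sample)}")
```

Indicator rules like these catch only the variants they describe; they complement, and do not replace, up-to-date antivirus definitions, which is why the Heovin write-up notes that older definitions detect the worm under a heuristic name instead.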

Security Advisories

TCPDump / LIBPCap Trojan Horse Vulnerability
Risk: High
Date: 13th November 2002
Platforms Affected
Any Linux or FreeBSD applications using the components listed below.
   
Components Affected
LBL libpcap 0.7.1
LBL tcpdump 3.6.2
LBL tcpdump 3.7.1
 
Description
It has been announced that the server hosting tcpdump and libpcap, www.tcpdump.org, was compromised recently. It has been reported that the intruder made modifications to the source code of tcpdump and libpcap to include trojan horse code. Downloads of the source code of tcpdump and libpcap from www.tcpdump.org, and numerous mirrors, likely contain the trojan code.

Reports say that the trojan will run once upon compilation of tcpdump or libpcap. Once the trojan is executed, it attempts to connect to host 212.146.0.34 on port 1963.

The MD5 sums of the trojaned versions are reported to be:
73ba7af963aff7c9e23fa1308a793dca  libpcap-0.7.1.tar.gz
3a1c2dd3471486f9c7df87029bf2f1e9  tcpdump-3.6.2.tar.gz
3c410d8434e63fb3931fe77328e4dd88  tcpdump-3.7.1.tar.gz

The MD5 sums of the non-trojaned versions are:
0597c23e3496a5c108097b2a0f1bd0c7  libpcap-0.7.1.tar.gz
6bc8da35f9eed4e675bfdf04ce312248  tcpdump-3.6.2.tar.gz
03e5eac68c65b7e6ce8da03b0b0b225e  tcpdump-3.7.1.tar.gz

The non-trojaned versions of these tools are available at the following locations:
http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/libpcap-0.7.1.tar.gz
http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/tcpdump-3.6.2.tar.gz
http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/tcpdump-3.7.1.tar.gz

Additionally, the trojan displays similarity to those found in irssi, fragroute, fragrouter, BitchX, OpenSSH, and Sendmail.
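Two checks follow directly from the advisory above: comparing a downloaded tarball against the published MD5 sums, and searching firewall logs for the reported call-back to 212.146.0.34 port 1963. The following is an added example written for this page, not part of the advisory or of the tcpdump project. The MD5 sums and the call-back address are taken from the advisory; the log format (netfilter LOG lines as written by syslog) and the sample log lines are assumptions constructed for the example.

```python
"""Verify a tcpdump/libpcap download against the MD5 sums in the advisory above
and look for the reported call-back in firewall logs. Added example, not part
of the advisory or of the tcpdump project."""
import hashlib
import re
from typing import Iterable, List, Optional

# MD5 sums exactly as published in the advisory.
TROJANED_SUMS = {
    "libpcap-0.7.1.tar.gz": "73ba7af963aff7c9e23fa1308a793dca",
    "tcpdump-3.6.2.tar.gz": "3a1c2dd3471486f9c7df87029bf2f1e9",
    "tcpdump-3.7.1.tar.gz": "3c410d8434e63fb3931fe77328e4dd88",
}
CLEAN_SUMS = {
    "libpcap-0.7.1.tar.gz": "0597c23e3496a5c108097b2a0f1bd0c7",
    "tcpdump-3.6.2.tar.gz": "6bc8da35f9eed4e675bfdf04ce312248",
    "tcpdump-3.7.1.tar.gz": "03e5eac68c65b7e6ce8da03b0b0b225e",
}

# Call-back host and port reported in the advisory.
CALLBACK_HOST = "212.146.0.34"
CALLBACK_PORT = 1963


def classify_digest(filename: str, md5_hex: str) -> str:
    """Return 'clean', 'trojaned' or 'unknown' for a filename/MD5 pair."""
    digest = md5_hex.strip().lower()
    if CLEAN_SUMS.get(filename) == digest:
        return "clean"
    if TROJANED_SUMS.get(filename) == digest:
        return "trojaned"
    # Anything else is a release, mirror or modification we have no record of;
    # treat it as untrusted rather than as clean.
    return "unknown"


def classify_bytes(filename: str, data: bytes) -> str:
    """Classify an in-memory tarball by its MD5."""
    return classify_digest(filename, hashlib.md5(data).hexdigest())


def classify_file(path: str, filename: Optional[str] = None) -> str:
    """Hash a tarball on disk in chunks and classify it by its basename."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    name = filename or path.rsplit("/", 1)[-1]
    return classify_digest(name, h.hexdigest())


# Assumed log format: netfilter LOG target lines (SRC=, DST=, DPT= fields).
LOG_RE = re.compile(r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?\bDPT=(?P<dpt>\d+)")


def find_callbacks(lines: Iterable[str]) -> List[str]:
    """Source addresses of logged connections to the reported call-back."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group("dst") == CALLBACK_HOST and int(m.group("dpt")) == CALLBACK_PORT:
            hits.append(m.group("src"))
    return hits


# Constructed sample log lines in netfilter LOG format (not real traffic).
SAMPLE_LOG = [
    "Nov 14 02:13:07 build kernel: OUTBOUND IN= OUT=eth0 SRC=10.0.0.5 DST=212.146.0.34 LEN=60 PROTO=TCP SPT=34567 DPT=1963 SYN",
    "Nov 14 02:13:09 build kernel: OUTBOUND IN= OUT=eth0 SRC=10.0.0.7 DST=212.146.0.34 LEN=60 PROTO=TCP SPT=40211 DPT=80 SYN",
    "Nov 14 02:14:01 build kernel: OUTBOUND IN= OUT=eth0 SRC=10.0.0.9 DST=198.51.100.20 LEN=60 PROTO=TCP SPT=51000 DPT=1963 SYN",
]

if __name__ == "__main__":
    print(classify_digest("tcpdump-3.7.1.tar.gz", "3c410d8434e63fb3931fe77328e4dd88"))
    print(find_callbacks(SAMPLE_LOG))
```

Two caveats a practitioner would apply. A checksum published next to the download on the compromised site proves nothing, since the intruder could edit both; the sums must come from an independent channel, which is why the advisory points to the ibiblio copies. And an "unknown" result is not a pass: it means the file matches neither list and should be treated as untrusted until its origin is established. The log search is useful for a retrospective sweep of any host on which these sources were built during the affected period, since the advisory states the trojan runs once at compilation time.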
Recommendations
Block external access at the network boundary, unless service is required by external parties.
Filter untrusted network traffic at border routers and network firewalls.

Run all server processes as non-privileged users with minimal access rights.
Perform all tasks with the minimal privileges possible.

It has been recommended that users who require tcpdump or libpcap use a known good version of tcpdump 3.6.2, tcpdump 3.7.1 or libpcap 0.7.1.

References 
Source: Latest libpcap & tcpdump sources from tcpdump.org contain a trojan.
URL: http://hlug.fscker.com/
Credits
Discovery of this vulnerability credited to Russell Adams, Mathew Solnik, and Scott Stout.
 

Lib CGI Include Buffer Overflow Vulnerability
Risk: High
Date: 27th November 2002
Components Affected
Lib CGI Lib CGI 0.1
 
Description
Lib CGI is a freely available, open source CGI library for C programmers. It is available for Unix and Linux operating systems.

It has been reported that a buffer overflow exists in the Lib CGI development library. Due to improper bounds checking in an include file, programs making use of this include, or programs linked against libraries using this include could be vulnerable to a remote buffer overflow attack. This could result in an attacker gaining remote access with the privileges of the web server process.
 
Recommendations
Block external access at the network boundary, unless service is required by external parties.
The filtering of untrusted network traffic may limit unauthorized access to resources, as well as prevent connectivity on arbitrary ports.

Deploy network intrusion detection systems to monitor network traffic for malicious activity.
Use network intrusion detection systems to identify attacks.

Run all server processes as non-privileged users with minimal access rights.
Do not execute server processes with elevated privileges.

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.
References 
Source: Remote Frame Pointer Overwrite vulnerability in LIB CGI in Language C.
URL: msg://bugtraq/20021127070501.20954.qmail@hackermail.com
Credits
Vulnerability discovery credited to "dong-h0un U".
 

Security News

Cyberterrorism and the Home User

Introduction
Over the last several years there has been a consistent increase in the use of the word “cyberterrorism” in the news. You’ve heard about cyberterrorism taskforces, and read about budgets for cyberterrorism defense. After the atrocities of September 11th, 2001, the topic has very much come to the forefront, even though the average computer user would be hard pressed to give a good definition of what cyberterrorism actually is. That’s not surprising, as even many computer security professionals are somewhat confused over the issue too.

As part of Symantec’s ongoing security research we have been looking in detail at this area and exploring the impact this issue is having on many different types of computer user. In this white paper, we will talk about what that research shows and what that means to a home user. Finally, we will examine some steps that you can take to limit the risk posed to your computer, not just by cyberterrorism but by hackers and virus writers as well.

What Is It?
When people discuss the threat posed by cyberterrorism, one of the biggest problems encountered is that there are many different definitions of the term itself. If you ask ten people what cyberterrorism is, you are likely to get many different descriptions. In all of these descriptions, however, there is a common thread: the computer is firmly ensconced as the target of cyberterrorist attack.

While this way of looking at cyberterrorism is popular, there are several problems with it. The most important is that the computer as target is only one facet of a much larger problem – the many faces of terrorism itself. There are many definitions of terrorism. For instance, the United States Federal Bureau of Investigation (FBI) defines terrorism as “The unlawful use of force or violence, committed by a group(s) of two or more individuals, against persons or property, to intimidate or coerce a government, the civilian population, or any segment thereof, in furtherance of political or social objectives”. The United States Department of Defense (DOD) defines terrorism using a slightly broader brush, calling it “the unlawful use of, or threatened use, of force or violence against individuals or property, to coerce and intimidate governments or societies, often to achieve political, religious or ideological objectives”. The United States Department of State (DOS) definition states that terrorism is “premeditated, politically motivated violence perpetrated against noncombatant targets by sub national groups or clandestine agents”. Finally, the United Kingdom Terrorism Act 2001 defines as terrorism the use, or threat, of action for political, religious or ideological causes, made with the intent to influence a government or intimidate the public – if the act involves serious violence, damage to property, a risk to public health, etc.

These are just some of the definitions created by governments as part of an overall strategy to address terrorism, and while they vary, in each case the definition is functionally relatively close. These definitions not only determine how the various countries and agencies view terrorism, they can be used to derive the “elements” of terrorism; that is, attributes which terrorist events have. These primary elements are:

  • People: Which individuals or local groups are involved?
  • Place: What locations are involved in the event?
  • Method: What is the method used in the event?
  • Tool: What tools, or items, are used to carry out the event?
  • Target: What is the target of the event?
  • Affiliation: How are group members affiliated (formally/informally)?
  • Motivation: What is the objective of the event?
  • Outcome: What are the desired, and actual, outcomes of the event?

Just about any terrorist event can be summed up using these eight different elements. But this is just the beginning. Each element carries its own level of complexity. For example, “place” may include where an event transpired, as well as where it was planned, or where funds were raised, etc. A “method” may include not only things like creating fear, but activities like recruiting or generating propaganda. Finally, each of these eight elements can be examined on many levels including the ideological, intellectual, and consequential.

Sound complicated? It is. As you might imagine, adding a computer into the mix complicates things even more. The place for the computer in this list is far further reaching than simply as a “target”; thus, the next step in evaluating the role of the computer in terrorism is to consider all of the possibilities that emerge when the computer is added to each element.

For example, consider the first element, “people”. While a computer cannot (yet) act as the sole perpetrator of a terrorist event, the computer can radically alter interpersonal interactions between people. Anonymization and desensitization can make recruiting easier, and virtual identities can influence group dynamics. Additionally, the Internet complicates the issues of national, subnational and international groupings.

The computer can aid the terrorist in many other ways as well. For example, covert channels can provide for messaging; the web provides a powerful information gathering tool and arena for identity theft; individuals and groups are no longer confined to meeting with like-minded individuals in their own countries… the possibilities are almost endless. However, this raft of possibilities does not mean that we are helpless against the threat of terrorism aided by computers. A great deal can be and is being done to reduce the risks that we are faced with.

As you can see, computers can play a huge role in any terrorist event, whether or not it takes place in the virtual world. This realization forces us to change radically our assessment of cyberterrorism risks. Corporations are treating computer security issues more seriously. The position of Chief Security Officer is becoming commonplace within corporate America, and security companies like Symantec are continuing to produce the best products in the world to help protect our computing infrastructure. And home users are learning how they can exercise diligence in using, and protecting, their home computers.

How does this affect Me?
How does this affect you? The short answer is that it doesn’t, at least not much! The longer answer comes back to the fact that the things that tend to protect your little patch of cyberspace from viruses, worms and hackers are exactly the same things that you need to do to protect yourself from “cyberterrorism”, however you choose to define it. As a reminder, those good computing practices are outlined below (see “What can I do…” below).

We all need to take the threat of terrorism that involves computers seriously. Symantec is committed to this work, and is working with both government and industry worldwide to help make the global computing infrastructure safe and secure. So, while you may see articles talking about the dangers, most of these probably won’t impact you directly.

Perhaps one of the largest roles that you may play is reducing the risk of causing network outage unintentionally. For example, there have been instances of “Distributed Denial of Service” (DDoS) attacks on the network. In such an attack, the attacker gets lots of computers to overload one particular machine on the network. The attacker does this by installing a “Trojan horse” on many machines, allowing him to launch his attack. You can play a role in preventing this kind of attack by keeping your machine more secure.

What can I do to make my computer more secure?
There are three primary areas in which you should secure your home computer. First, you want to make sure that the data on your machine is confidential. For example, you would not want someone looking through personal finances, which many users keep on their machines. Second, you want to make sure that someone doesn’t change your data without you knowing it. Lastly, you want to make sure that your computer does not lose data – that is, that your data is available to you when you want it. These three facets of security, more properly known as “Confidentiality, Integrity, Availability”, form the basis for securing your machine.

For the home user, there are three primary ways that one or more of these pillars of security can be compromised: viruses and worms, hackers, and “natural disasters” (like pouring a can of Jolt cola over your machine!). Fortunately, there are simple and effective ways in which you can protect yourself from each of these threats.

For viruses and worms, use an anti-virus software package; by use, we mean install one and keep it up to date! For users of Symantec’s Antivirus, that is pretty straightforward as the product can be configured to do this for you automatically; if you use someone else’s product, consult your vendor. It’s hard to overstate the importance of this: it’s quick and easy and provides so much protection!

Hackers can be dealt with in a number of ways. First, if you’re a home user, don’t simply dial in to the Internet without considering that in many instances, not only can you see other computers, but people on those other computers can see you! Consider using a personal firewall (like Norton Personal Firewall), which blocks unauthorized access to your machine. Make sure that you’re protected on all levels, by using integrated products like Norton Internet Security. That way, when you go online, you know that not only are you doing your best to protect your data, you are also helping prevent hackers from using your computer to attack someone else’s!

Finally, make sure that you back up your important files and data. This step is so often overlooked that its absence is only noticed after things have gone wrong, when it is too late. Consider how much time and energy you have spent configuring your computer and entering data into it. Isn’t that worth spending a few minutes protecting?

Conclusion
Although the issue of Cyberterrorism sounds daunting, it really does not change a great deal for the home user. Being responsible in the way we use our computers is simply that: being responsible. If you take care of your machine, this complex issue is very unlikely to affect your home computer use. Happy computing!

Sarah Gordon
Senior Research Fellow
Symantec Security Response

 
 
Contacts and Subscriptions:
Correspondence by email to: securitynews@symantec.com, no unsubscribe or support emails please. Follow this link to subscribe or unsubscribe http://securityresponse.symantec.com/avcenter/newsletter_regions/en.html Send virus samples to: avsubmit@symantec.com
Disclaimer: THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY.

This message contains Symantec Corporation's current view of the topics discussed as of the date of this document. The information contained in this message is provided "as is" without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and freedom from infringement. The user assumes the entire risk as to the accuracy and the use of this document. This document may not be distributed for profit.

Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Other brands and products are trademarks of their respective holder(s). (c) Copyright 2002 Symantec Corporation. All rights reserved. Materials may not be published in other documents without the express, written permission of Symantec Corporation.